Source: Set-up.exe.7652.0.memstrmin |
Malware Configuration Extractor: Cryptbot {"C2 list": ["elevenvx11pn.top", "~elevenvx11pn.top", "analforeverlovyu.top", "zx11pn.top", "|Xl@elevenvx11pn.top"]} |
Source: Submited Sample |
Integrated Neural Analysis Model: Matched 100.0% probability |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_006615B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, |
5_2_006615B0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9414B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, |
5_2_6C9414B0 |
Source: Set-up.exe |
Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED |
Source: Set-up.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\Desktop\desktop.ini |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\Documents\desktop.ini |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\AppData\Local |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\AppData |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\AppData\Local\Temp |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then lea ecx, dword ptr [esp+04h] |
5_2_006681E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6C9BAC70 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6C9BAD20 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6C9BAD20 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push edi |
5_2_6C9E2EF0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6C95AF80 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, 6CA1F960h |
5_2_6C95E8C0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
5_2_6C96E490 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx] |
5_2_6C96E490 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx] |
5_2_6C9604F0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, ecx |
5_2_6C9E04E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
5_2_6C960610 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
5_2_6C96A790 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+08h] |
5_2_6C96A790 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+08h] |
5_2_6C96A720 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx] |
5_2_6C960010 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [6CA1D014h] |
5_2_6CA14110 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx] |
5_2_6C96C2C0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6C964203 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebx |
5_2_6C9E8250 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
5_2_6C96A3A0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+08h] |
5_2_6C96A3A0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+08h] |
5_2_6C96A330 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6C9BBDF0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+04h] |
5_2_6C999F90 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6C9BBF50 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
5_2_6C97B987 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
5_2_6C97B98B |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
5_2_6C999910 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
5_2_6C9F9900 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6C9BBAC0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
5_2_6C9B7AC0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then lea eax, dword ptr [ecx+0Ch] |
5_2_6C96D424 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, 6CA1DFF4h |
5_2_6C9B3440 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then lea eax, dword ptr [ecx+08h] |
5_2_6C96D5A4 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push edi |
5_2_6C9B35F0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then lea eax, dword ptr [ecx+04h] |
5_2_6C96D724 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6C96D050 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebx |
5_2_6C9D7100 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6C9BB280 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
5_2_6C96D2B4 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [esp+04h] |
5_2_6C9B93B0 |
Source: Network traffic |
Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.9:49706 -> 185.244.181.140:80 |
Source: Network traffic |
Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.9:49709 -> 185.244.181.140:80 |
Source: Network traffic |
Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.9:49708 -> 185.244.181.140:80 |
Source: Malware configuration extractor |
URLs: elevenvx11pn.top |
Source: Malware configuration extractor |
URLs: ~elevenvx11pn.top |
Source: Malware configuration extractor |
URLs: analforeverlovyu.top |
Source: Malware configuration extractor |
URLs: zx11pn.top |
Source: Malware configuration extractor |
URLs: |Xl@elevenvx11pn.top |
Source: global traffic |
HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary71095901User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 413Host: elevenvx11pn.top |
Source: global traffic |
HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary18234966User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 90016Host: elevenvx11pn.top |
Source: global traffic |
HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary50062139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 34443Host: elevenvx11pn.top |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary71095901User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 413Host: elevenvx11pn.top |
Source: Set-up.exe, 00000000.00000003.1484449204.00000000007DC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://elevenvx11pn.top/v1/upload.php |
Source: Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ac.ecosia.org/autocomplete?q= |
Source: Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= |
Source: Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search |
Source: Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= |
Source: Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/ac/?q= |
Source: Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/chrome_newtab |
Source: Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= |
Source: NrIpUDVFuuHZveDEtrIh.dll.0.dr |
String found in binary or memory: https://gcc.gnu.org/bugs/): |
Source: Set-up.exe |
String found in binary or memory: https://serviceupdate32.com/update |
Source: Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.ecosia.org/newtab/ |
Source: Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C959B99 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,GetClipboardSequenceNumber, |
5_2_6C959B99 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C959B99 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,GetClipboardSequenceNumber, |
5_2_6C959B99 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_006651B0 |
5_2_006651B0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_00663E20 |
5_2_00663E20 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C94CD00 |
5_2_6C94CD00 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA04E80 |
5_2_6CA04E80 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C94EE50 |
5_2_6C94EE50 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C950FC0 |
5_2_6C950FC0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C990870 |
5_2_6C990870 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C982A7E |
5_2_6C982A7E |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C984490 |
5_2_6C984490 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9544F0 |
5_2_6C9544F0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C980580 |
5_2_6C980580 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C978570 |
5_2_6C978570 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C972110 |
5_2_6C972110 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C98FE10 |
5_2_6C98FE10 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C981E40 |
5_2_6C981E40 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C955880 |
5_2_6C955880 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C98D99E |
5_2_6C98D99E |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C99DA20 |
5_2_6C99DA20 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C96F510 |
5_2_6C96F510 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9796A0 |
5_2_6C9796A0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9877D0 |
5_2_6C9877D0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9570C0 |
5_2_6C9570C0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C943000 |
5_2_6C943000 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9811BE |
5_2_6C9811BE |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9912C0 |
5_2_6C9912C0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C98F3C0 |
5_2_6C98F3C0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6CA13490 appears 45 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6CA0AB60 appears 49 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6CA15980 appears 83 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6CA15A70 appears 77 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6CA138D0 appears 38 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6CA13310 appears 42 times |
|
Source: Set-up.exe |
Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED |
Source: classification engine |
Classification label: mal100.troj.spyw.evad.winEXE@8/2@1/1 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8176:120:WilError_03 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Mutant created: \Sessions\1\BaseNamedObjects\CuDNObfgqmczoBnKhtUp |
Source: Set-up.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: Set-up.exe, 00000000.00000003.1526107515.000000000332D000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key)); |
Source: unknown |
Process created: C:\Users\user\Desktop\Set-up.exe "C:\Users\user\Desktop\Set-up.exe" |
|
Source: C:\Users\user\Desktop\Set-up.exe |
Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe" |
|
Source: C:\Users\user\Desktop\Set-up.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe |
|
Source: unknown |
Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe |
|
Source: C:\Users\user\Desktop\Set-up.exe |
Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe" |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: winhttp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: webio.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: winnsi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: windowscodecs.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: dpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: propsys.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: dlnashext.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: wpdshext.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: edputil.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: urlmon.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: windows.staterepositoryps.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: appresolver.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: bcp47langs.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: slc.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: sppc.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: onecorecommonproxystub.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: msasn1.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: nripudvfuuhzvedetrih.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: taskschd.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: xmllite.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: nripudvfuuhzvedetrih.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: nripudvfuuhzvedetrih.dll |
Jump to behavior |
Source: Set-up.exe |
Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: Set-up.exe |
Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2c7600 |
Source: Set-up.exe |
Static PE information: Raw size of .data is bigger than: 0x100000 < 0x671400 |
Source: Set-up.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_00668230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError, |
5_2_00668230 |
Source: Set-up.exe |
Static PE information: section name: .eh_fram |
Source: service123.exe.0.dr |
Static PE information: section name: .eh_fram |
Source: NrIpUDVFuuHZveDEtrIh.dll.0.dr |
Static PE information: section name: .eh_fram |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_0066A499 push es; iretd |
5_2_0066A694 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C988C2A push edx; mov dword ptr [esp], ebx |
5_2_6C988C3E |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9B4DB0 push eax; mov dword ptr [esp], ebx |
5_2_6C9B5018 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C994DC1 push eax; mov dword ptr [esp], ebx |
5_2_6C994DD5 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C986E03 push edx; mov dword ptr [esp], ebx |
5_2_6C986E17 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C994FA1 push eax; mov dword ptr [esp], ebx |
5_2_6C994FB5 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C99285C push edx; mov dword ptr [esp], ebx |
5_2_6C992870 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9A8850 push eax; mov dword ptr [esp], ebx |
5_2_6C9A8E4F |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C990852 push eax; mov dword ptr [esp], ebx |
5_2_6C990866 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9BE860 push eax; mov dword ptr [esp], ebx |
5_2_6C9BE98B |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9C29A0 push eax; mov dword ptr [esp], ebx |
5_2_6C9C2CD4 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9C29A0 push edx; mov dword ptr [esp], ebx |
5_2_6C9C2CF3 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9F09E0 push eax; mov dword ptr [esp], edi |
5_2_6C9F0B5A |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9BEAC0 push eax; mov dword ptr [esp], ebx |
5_2_6C9BEBE3 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C994BE1 push eax; mov dword ptr [esp], ebx |
5_2_6C994BF5 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9804BE push eax; mov dword ptr [esp], ebx |
5_2_6C98048A |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9804AD push eax; mov dword ptr [esp], ebx |
5_2_6C98048A |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9864A3 push edx; mov dword ptr [esp], ebx |
5_2_6C9864B7 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C998451 push 890005EAh; ret |
5_2_6C998459 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C980452 push eax; mov dword ptr [esp], ebx |
5_2_6C98048A |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9D0460 push eax; mov dword ptr [esp], ebx |
5_2_6C9D07FF |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C98A527 push eax; mov dword ptr [esp], ebx |
5_2_6C98A53B |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C961AAA push eax; mov dword ptr [esp], ebx |
5_2_6CA16622 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C961AAA push eax; mov dword ptr [esp], ebx |
5_2_6CA16622 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C98A6F7 push eax; mov dword ptr [esp], ebx |
5_2_6C98A70B |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C966098 push eax; mov dword ptr [esp], ebx |
5_2_6CA16622 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9940D5 push ecx; mov dword ptr [esp], ebx |
5_2_6C9940E9 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C966003 push eax; mov dword ptr [esp], ebx |
5_2_6CA16AF6 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C966003 push edx; mov dword ptr [esp], edi |
5_2_6CA16B36 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9881E5 push edx; mov dword ptr [esp], ebx |
5_2_6C9881F9 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C980290 push eax; mov dword ptr [esp], ebx |
5_2_6C98048A |
Source: C:\Users\user\Desktop\Set-up.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Evasive API call chain: CreateMutex,DecisionNodes,Sleep |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Stalling execution: Execution stalls by calling Sleep |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
API coverage: 1.1 % |
Source: C:\Users\user\Desktop\Set-up.exe TID: 7764 |
Thread sleep time: -60000s >= -30000s |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 8152 |
Thread sleep count: 809 > 30 |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 8152 |
Thread sleep time: -80900s >= -30000s |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Last function: Thread delayed |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\Desktop\desktop.ini |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\Documents\desktop.ini |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\AppData\Local |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\AppData |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\AppData\Local\Temp |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user |
Jump to behavior |
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: dev.azure.comVMware20,11696497155j |
Source: Set-up.exe |
Binary or memory string: VMware |
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: global block list test formVMware20,11696497155 |
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: turbotax.intuit.comVMware20,11696497155t |
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155 |
Source: Set-up.exe |
Binary or memory string: navigatoradatwofactor.xlsbackupsOfficeXuanZhi9OriginmailGraphicsCachexrpWebStorageToastNotificationManagerCompatService WorkerejbalbakoplchlghecdalmeeeajnimhmLGHUBstremiotokencoinMetro\aholpfdialjgjfhomihkjbmgjidlcdnoVisual Studio SetupDropbox.jpgproductionMacromedia.txtLocal StorageCiscoSparkLauncherFACEITuser_dataUTC--2slobs-clientpkgsvcpkg.ElectrumpreferencesAutoHotkeyOlk\SlackEOS-Webcam-UtilitynavigationZWSOFTProcess Hacker 2avaxClickUpBlueStacks XReasonLabs\Blizzarduser_data#2carteira.IdentityService.jappsrvPicturesUXPWindows Server 2012 %wSwallet.datTerminalUpdateResourcenlbmnnijcnlegkjjpcfjclmcfggfefdmbilletera.pwdHotta\optimization_guide_prediction_model_downloadsPowerPointclaveswapiTop PDFSegmentation Platformthumbnailsdoge.pdfCaphyonWindows StoreEpsonSession StorageCanonbinanceViberdaidotContent-Type: multipart/form-data; boundary=----Boundary%lucom.adobe.dunamisUbisoftcodeDisc_Soft_FZE_LLCVodafoneElevatedDiagnosticscacheklnaejjgbibmhlephnhpmaofohgkpgkdBGAHelperLibCredentials.weasisUniSDKegjidjbpglichdcondbcbdnbeeppgdphPackages%d x %defbglgofoippbgcjepnhiblaibcnclgkAdguard_Software_Limited%.2f MB (%.2f GB)hdokiejnpimakedhajhdlcegeplioahdUserBenchmarkformhistory.sqliteFPSChessticketfactorIdentityCachedotnetsrcMotABBYY...Iq-TeamreposDocumentsVirtualBoxAuthcookies.sqlite.ipythonTikTok LIVE StudiointegrationsExodus\MessengerBlendCitraIntel(R)2FAEdgeUpdate360TotalSecurityFlash Playerbalena-etcherAdguard Software LimitedbhhhlbepdkbapadjdnnojkbgioiodbicUnrealEngineDropboxElectronCrashReportsAutoItGraineRealPlayerEpicGamesLauncher\.anacondaHoYoverse\ljfoeinjpaedjfecbmggjgodbgkmjkjkApkProjectsOneAuthConfigToolbarwindowParams.jsonmcohilncbfahbmgdjkbpemcciiolgcgeNetworklinkChaveshared_proto_dbPC HelpSoft Driver Updaterexodus.walletDownloaded InstallationsAMS SoftwarechainookjlbkiijinhpmnjffcofjonbfbgaocDiagnosticsMetaQuotesWindows Server 2012 R2 %wSuser_data#32 FAWindows Live ContactsNVIDIA Corporation\fhmfendgdocmcbmfikdcogofphimnknoAdobejaxSupportAshampoo.android.docbackuptrxApplicationInsightsLibraryWebTorrentarduino-ideGitKrakensidMPC-HCtbs_cache\microAppstronWinRARTerminal Server ClientTencentlogins.jsonAviraportefeuillehpglfhgfnhbgpjdenjgmdgoeiappaflndaoCanva.kdbcanva-updaterNotiondeemix MusicClassicShellkkpllkodjeloidieedojogacfhpaihohbhghoamapcdpbohphigoooaddinpkbaisecretdictionariesVMwarebtcLocal StoreGitHub DesktopPanasonicSidify Music ConverterMSOIdentityCRL.jpegusdblockNeteasehtxsentryFavoritesJD |